This forum is now a read-only archive. All commenting, posting, registration services have been turned off. Those needing community support and/or wanting to ask questions should refer to the Tag/Forum map, and to http://spring.io/questions for a curated list of stackoverflow tags that Pivotal engineers, and the community, monitor.

From the looks of the one <intercept-url> in your Spring Security configuration, it seems that *ALL* paths are being intercepted and require an authenticated user with a selection of roles. The problem is, at the point where Facebook redirects back to your app, your user isn't signed in yet (that'll be one of the next things that happens, but it hasn't happened yet). So, the Spring Security filters kick in and redirect your user to your app's sign-in page.

I recommend adding another <intercept-url> (before the existing one) that allows /signin/* requests to pass through unhindered by Spring Security.